[Rdo-list] [Heat] unauthorized to use heat

Steven Hardy shardy at redhat.com
Fri Jul 10 09:43:13 UTC 2015


On Fri, Jul 10, 2015 at 12:15:32AM -0400, Adam Young wrote:
>    On 07/09/2015 03:33 AM, pauline phaure wrote:
> 
>      Hey there, can anyone please help me.
> 
>    In order to use any service, you need a scoped token.  I suspect that the
>    Heat API is limited to Admin users, and maybe you are using the demo user
>    token?

Nearly all heat API paths should be accessible to non-admin users.

>    http://git.openstack.org/cgit/openstack/heat/tree/etc/heat/policy.json
> 
>    You don't say what API you are trying to call.  Most of the Heat APIs look
>    like they are:
> 
>  "deny_stack_user": "not role:heat_stack_user",

This is a common mistake, "real" users accessing the heat service should
*not* have the heat_stack_user role - this role is reserved for internal
use inside heat, and is used to limit the API surface available to
in-instance agents.

>    But a few are  "role:admin",
> 
>  "stacks:global_index": is deny everybody

Yeah, there are a couple of things like this, but all API operations
required for normal usage of heat should be accessible to non-admin users.

The "deny everybody" one is a special case, designed to disable a global
lookup which the community felt was unsafe to enable by default, e.g. to
force deployers to secure it with their own role/policy.

Steve
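
The policy rules discussed in this thread, as an added example that is not part of the original e-mail and is not Heat's or oslo.policy's own code: a small evaluator for a simplified subset of the policy rule syntax, showing which calls a token's roles are denied. Only the `deny_stack_user` rule is quoted in the thread; the other rule names, the API actions and the `_member_` role are assumptions made for illustration.

```python
# Constructed policy excerpt: only the "deny_stack_user" rule is quoted in the
# thread; the other rule names and API actions are assumptions for illustration.
POLICY = {
    "context_is_admin": "role:admin",
    "deny_stack_user": "not role:heat_stack_user",
    "deny_everybody": "!",
    "stacks:index": "rule:deny_stack_user",
    "stacks:create": "rule:deny_stack_user",
    "stacks:global_index": "rule:deny_everybody",
    "service:index": "rule:context_is_admin",
}
ACTIONS = ["stacks:index", "stacks:create", "stacks:global_index", "service:index"]


def evaluate(expr, roles, policy, seen=()):
    """Evaluate a simplified rule: '!', '@', 'role:x', 'rule:x', not/and/or (no parentheses)."""
    expr = expr.strip()
    if " or " in expr:
        return any(evaluate(p, roles, policy, seen) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, roles, policy, seen) for p in expr.split(" and "))
    if expr.startswith("not "):
        return not evaluate(expr[4:], roles, policy, seen)
    if expr == "!":            # never matches: "deny everybody"
        return False
    if expr in ("", "@"):      # always matches
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        if value in seen or value not in policy:
            return False       # cycles and undefined rules do not match
        return evaluate(policy[value], roles, policy, seen + (value,))
    raise ValueError(f"unsupported check: {expr!r}")


def authorize(action, roles, policy=POLICY):
    """True if a token carrying `roles` may call `action`; unknown actions are denied."""
    return action in policy and evaluate(policy[action], roles, policy)


def denied(roles, policy=POLICY, actions=ACTIONS):
    """List the actions this set of roles cannot call."""
    return sorted(a for a in actions if not authorize(a, roles, policy))


if __name__ == "__main__":
    for roles in (["_member_"], ["_member_", "heat_stack_user"], ["admin"]):
        print(roles, "denied:", denied(roles))
```

Running it shows that adding `heat_stack_user` to an ordinary user removes access to the stack calls, while the "deny everybody" rule blocks the global index even for an admin until the deployer replaces it with their own role or policy.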